You could also build rules to only allow certain traffic across interfaces,
but it won't work for overlapping address scenarios. The context solution
builds upon the VRF solution properly.
David
--
http://dcp.dcptech.com

> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> karim jamali
> Sent: Friday, November 05, 2010 6:31 AM
> To: David Prall; Cisco certification
> Subject: Re: VRFs with FWSM
>
> Hi David,
>
> Thanks for your support. Any other method to do this without using FWSM
> contexts?
>
> Best Regards,
>
> On Fri, Nov 5, 2010 at 7:46 AM, David Prall <dcp_at_dcptech.com> wrote:
>
> > You've got the concept exactly as it should be.
> >
> > Server 1 --> VLAN1 --> FWSM Context 1 --> VLAN2 --> Int VLAN2 vrf cust1
> > Server 2 --> VLAN3 --> FWSM Context 2 --> VLAN4 --> Int VLAN4 vrf cust2
> >
> > David
> >
> > --
> > http://dcp.dcptech.com
> >
> > > -----Original Message-----
> > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > > karim jamali
> > > Sent: Thursday, November 04, 2010 5:34 PM
> > > To: Cisco certification
> > > Subject: OT:VRFs with FWSM
> > >
> > > Dear Experts,
> > >
> > > I would like to enquire about a scenario I am facing, which is as follows:
> > > - I have two Core Switches (6509) having FWSM modules and running in VSS
> > >   mode on one side, which is in fact connecting the clients.
> > > - I have another two core switches (6509) having FWSM modules, running in
> > >   VSS, where the servers are connected (applications, etc.).
> > >
> > > An internal MPLS cloud will be built and the goal is to be able to keep the
> > > traffic of clients separate (using VRFs), i.e. every client has his own set
> > > of servers/user subnets and those subnets will be put into a VRF. MBGP will
> > > be run in order to share/isolate one customer's routes from another.
> > >
> > > Now the question that comes to my mind is that FWSM doesn't support VRFs,
> > > thus I won't be able to terminate the VLANs on the FWSM for security
> > > policies. If I terminate the VLANs on the FWSM, how will I be able to
> > > achieve route isolation through VRF? The only solution I could think of is
> > > to use multiple contexts on the FWSM (one per client), and every context's
> > > outside interface will be pointing to an SVI which will be in a certain
> > > VRF. However, I don't find this to be very practical.
> > >
> > > I am not an expert on MPLS/VRFs, but all I need is to be able to do an
> > > isolation of routes into VRFs and use the security policies of FWSM at the
> > > same time.
> > >
> > > Your help will be greatly appreciated.
> > >
> > > --
> > > KJ
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
> --
> KJ

Received on Fri Nov 05 2010 - 10:53:09 ART
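The design David sketches (one FWSM context per customer, each context's outside VLAN terminating on an SVI that sits in that customer's VRF) as an added configuration example. This is not configuration from David's or Karim's posts; the slot number, VLAN numbers, context names, IP addresses, AS number and route targets are all assumptions chosen for illustration, and the two customers deliberately reuse the same inside subnet 10.1.1.0/24 to show why this works where per-interface rules in a single context would not.

```text
! --- Catalyst 6509 VSS supervisor (IOS): hand the firewall VLANs to the FWSM ---
! Switch 1 / slot 9 and the VLAN numbers are assumptions for this example.
firewall switch 1 slot 9 vlan-group 1
firewall vlan-group 1 10,20,30,40,900

! --- FWSM system execution space: one security context per customer ---
! Each context gets its own inside VLAN (toward the servers) and its own
! outside VLAN (toward the VRF SVI). Contexts have separate routing tables,
! which is what allows the inside subnets below to overlap.
mode multiple
admin-context admin
context admin
  allocate-interface Vlan900
  config-url disk:/admin.cfg
context cust1
  allocate-interface Vlan10
  allocate-interface Vlan20
  config-url disk:/cust1.cfg
context cust2
  allocate-interface Vlan30
  allocate-interface Vlan40
  config-url disk:/cust2.cfg

! --- FWSM context cust1 ---
interface Vlan10
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
interface Vlan20
  nameif outside
  security-level 0
  ip address 192.168.1.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1
! FWSM requires an access-group on every interface that should pass traffic.
access-list inside_out extended permit ip 10.1.1.0 255.255.255.0 any
access-group inside_out in interface inside
access-list outside_in extended permit tcp any 10.1.1.0 255.255.255.0 eq 443
access-group outside_in in interface outside

! --- FWSM context cust2: inside is again 10.1.1.0/24, same as cust1 ---
interface Vlan30
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0
interface Vlan40
  nameif outside
  security-level 0
  ip address 192.168.2.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.2.1
access-list inside_out extended permit ip 10.1.1.0 255.255.255.0 any
access-group inside_out in interface inside
access-list outside_in extended permit tcp any 10.1.1.0 255.255.255.0 eq 443
access-group outside_in in interface outside

! --- Catalyst 6509 (IOS): each context's outside SVI lives in a customer VRF ---
ip vrf cust1
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:1
ip vrf cust2
 rd 65000:2
 route-target export 65000:2
 route-target import 65000:2
interface Vlan20
 ip vrf forwarding cust1
 ip address 192.168.1.1 255.255.255.0
interface Vlan40
 ip vrf forwarding cust2
 ip address 192.168.2.1 255.255.255.0
! One static route per customer to its server subnet via its own context.
! The two identical 10.1.1.0/24 routes do not collide: they are in different VRFs.
ip route vrf cust1 10.1.1.0 255.255.255.0 192.168.1.2
ip route vrf cust2 10.1.1.0 255.255.255.0 192.168.2.2
! Export each VRF's routes into MP-BGP toward the internal MPLS cloud.
router bgp 65000
 address-family ipv4 vrf cust1
  redistribute connected
  redistribute static
 address-family ipv4 vrf cust2
  redistribute connected
  redistribute static
```

Nothing here makes the FWSM itself VRF-aware; the isolation comes from pairing one context with one VRF, with the VLAN between them as the only hand-off. That pairing is also what lets cust1 and cust2 both use 10.1.1.0/24: a single context with interface-level permit rules has one routing table and one 10.1.1.0/24, so it cannot tell the two customers' servers apart, which is the overlapping-address limitation David points to.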
This archive was generated by hypermail 2.2.0 : Sun Dec 05 2010 - 22:14:55 ART